Mozilla Fixes Vulnerabilities, Disables SSL 3.0 in Firefox 34

Mozilla released Firefox 34 on Monday and, as it promised in October, the company disabled Secure Sockets Layer (SSL) 3.0 support to protect users against Padding Oracle On Downgraded Legacy Encryption (POODLE) attacks.

"SSL version 3.0 is no longer secure. Browsers and websites need to turn off SSLv3 and use more modern security protocols as soon as possible, in order to avoid compromising users’ private information," Mozilla said in October.

Google also intends to disable SSL 3.0 in Chrome with the release of version 40 of the Web browser. In the meantime, the search engine company has disabled fallback to SSL 3.0 to protect users.

With the release of Firefox 34, Mozilla has addressed a total of eight vulnerabilities, three of which have been rated as "critical," which indicates that an attacker can leverage them to execute arbitrary code without user interaction beyond normal browsing.

One of the critical flaws, discovered by Abhishek Arya (Inferno) of the Google Chrome Security Team, has been described as a buffer overflow during the parsing of media content (CVE-2014-1593). Berend-Jan Wever has identified a use-after-free bug caused by triggering the creation of a second root element while parsing HTML written to a document created with the "document.open()" function (CVE-2014-1592). Both these critical issues could lead to a potentially exploitable crash.

Various memory safety bugs reported by several researchers (CVE-2014-1588, CVE-2014-1587) are also considered critical and have been addressed.

An interesting high-impact issue was reported to Mozilla by security researcher Kent Howard, who found that the CoreGraphics framework in Apple's OS X 10.10 (Yosemite) creates log files containing a record of all data, including usernames and passwords, entered into Mozilla programs during their operation (CVE-2014-1595).

"This issue has been addressed in Mozilla products by explicitly turning off the framework's logging of input events," Mozilla explained in an advisory.

Potentially exploitable behavior (CVE-2014-1594) has been reported by Byoungyoung Lee, Chengyu Song, and Taesoo Kim from the Georgia Tech Information Security Center (GTISC). Another high-impact issue has been discovered by security researcher Muneaki Nishimura. The bug (CVE-2014-1591) affects Content Security Policy (CSP), and it could be leveraged by a malicious website to obtain sensitive information such as usernames and single sign-on tokens.

The medium-impact vulnerabilities fixed with the release of Firefox 34 have been described as "XMLHttpRequest crashes with some input streams," and "XBL bindings accessible via improper CSS declarations."

In addition to security-related fixes, Firefox 34 brings a few noteworthy changes in functionality. Mozilla has introduced Firefox Hello, a WebRTC feature allowing users to make voice and video calls without the need to install any applications or plugins.

The company has dropped Google as its default search engine. In the United States, Google has been replaced with Yahoo, while in Belarus, Kazakhstan, and Russia the new default search engine is Yandex.

Eduard Kovacs is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.